# syntax=docker/dockerfile:1
#
# Multi-stage build of nginx with ModSecurity (libmodsecurity plus the nginx
# connector as a dynamic module), the OWASP Core Rule Set, ngx_brotli and
# headers-more-nginx-module. Everything is installed under /opt in the "build"
# stage, runtime .apk dependencies are fetched in the "pkg" stage, and the
# final stage assembles a minimal image that runs nginx as UID 1000.

##
## Build
##
# NOTE(review): "3.19-latest" is a floating tag, so two builds of this file can
# start from different base layers. Pin by digest
# (image@sha256:<digest-of-the-intended-base>) for reproducible, auditable builds.
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/alpine-base:3.19-latest AS build

# Sources are unpacked below this directory; build artifacts are installed
# under /opt/nginx, /opt/modsecurity and /opt/owasp-crs.
WORKDIR /usr/local/src

# Upstream release versions; bump these together with the image tag used in
# the push commands at the bottom of this file.
ARG VERSION="1.25.4"
ARG MODSEC_VER=3.0.12
ARG MODSEC_NGX_VER=1.0.3
ARG OWASP_CRS_VER=4.0.0

### Fetch Build Dependencies
# Local *.patch files applied to the nginx source tree before ./configure.
COPY patch /usr/local/src/patch
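# Build toolchain and -dev headers for nginx, its modules and libmodsecurity.
# These exist only in the "build" stage; the runtime image receives the matching
# non-dev packages from the "pkg" stage instead.
# NOTE(review): packages are unpinned (hadolint DL3018); pin them as
# name=version-rN once the set is stable so rebuilds are reproducible.
RUN set -xeu && \
    apk --no-cache add \
        autoconf \
        automake \
        build-base \
        libtool \
        musl-utils \
        util-linux \
        util-linux-dev \
        tar \
        openssl-dev \
        pcre2-dev \
        linux-headers \
        libatomic_ops-dev \
        zlib-dev \
        libaio-dev \
        bash \
        alpine-sdk \
        cmake \
        git \
        findutils \
        pkgconf \
        # mod security (zlib-dev is already listed above)
        byacc \
        flex \
        libxml2-dev \
        lmdb-dev \
        yajl-dev \
        libfuzzy2-dev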
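# Optional integrity check for the ModSecurity release tarball: pass
# --build-arg MODSEC_SHA256=<sha256 published by upstream> to enforce it.
# Empty (the default) keeps the previous behaviour of trusting TLS alone.
ARG MODSEC_SHA256=""
# Build libmodsecurity into /opt/modsecurity (headers and shared library).
RUN set -xeu && \
    mkdir -p /usr/local/src/modsecurity && \
    wget -qO /tmp/modsecurity.tar.gz "https://github.com/owasp-modsecurity/ModSecurity/releases/download/v${MODSEC_VER}/modsecurity-v${MODSEC_VER}.tar.gz" && \
    { [ -z "${MODSEC_SHA256}" ] || echo "${MODSEC_SHA256}  /tmp/modsecurity.tar.gz" | sha256sum -c -; } && \
    tar -zxf /tmp/modsecurity.tar.gz --strip-components=1 -C /usr/local/src/modsecurity && \
    rm -f /tmp/modsecurity.tar.gz && \
    cd /usr/local/src/modsecurity && \
    ./build.sh && \
    ./configure \
        --prefix=/opt/modsecurity \
        # --disable-debug-logs \
        --with-pcre2=yes \
        --with-libxml=yes \
        --with-curl=no \
        --with-ssdeep=yes \
        --with-lmdb=yes \
        --with-yajl=yes \
        --with-lua=no \
        --with-geoip=no \
        --with-maxmind=no \
        --disable-examples \
        --disable-doxygen-doc \
    && \
    # The linker variable was previously misspelled "LDLAGS", so the relro/now/
    # -pie hardening flags were never seen by the build.
    # NOTE(review): these are exported into make's environment rather than passed
    # to ./configure; an automake-generated Makefile normally assigns
    # CFLAGS/LDFLAGS itself and ignores the environment. Check the compiler
    # command lines printed by `set -x` to confirm the flags are actually applied.
    CFLAGS="-Wno-error -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" \
    CPPFLAGS="-Wno-error -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" \
    LDFLAGS='-Wl,-Bsymbolic-functions -flto=auto -Wl,--as-needed -pie -Wl,-z,relro -Wl,-z,now -Wl,-Bsymbolic -Wl,--gc-sections -fPIC -flto=auto -ffat-lto-objects' \
    make -j "$(nproc)" && \
    make install && \
    find /opt/modsecurity && \
    ldd /opt/modsecurity/lib/libmodsecurity.so && \
    # Drop the static archive and the libtool metadata; nginx links the .so.
    # (Previously "rm a && b" tried to execute the .la file instead of removing it.)
    rm -f \
        /opt/modsecurity/lib/libmodsecurity.a \
        /opt/modsecurity/lib/libmodsecurity.la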
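# Optional integrity check for the connector tarball: pass
# --build-arg MODSEC_NGX_SHA256=<sha256 published by upstream> to enforce it.
# Empty (the default) keeps the previous behaviour of trusting TLS alone.
ARG MODSEC_NGX_SHA256=""
# Unpack the ModSecurity-nginx connector; nginx's ./configure compiles it as a
# dynamic module (--add-dynamic-module) further down.
RUN set -xeu && \
    mkdir -p /usr/local/src/modsecurity-nginx && \
    wget -qO /tmp/modsecurity-nginx.tar.gz "https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v${MODSEC_NGX_VER}/modsecurity-nginx-v${MODSEC_NGX_VER}.tar.gz" && \
    { [ -z "${MODSEC_NGX_SHA256}" ] || echo "${MODSEC_NGX_SHA256}  /tmp/modsecurity-nginx.tar.gz" | sha256sum -c -; } && \
    tar -zxf /tmp/modsecurity-nginx.tar.gz --strip-components=1 -C /usr/local/src/modsecurity-nginx && \
    rm -f /tmp/modsecurity-nginx.tar.gz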
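# Optional integrity check for the Core Rule Set tarball: pass
# --build-arg OWASP_CRS_SHA256=<sha256 of the archive> to enforce it.
# Empty (the default) keeps the previous behaviour of trusting TLS alone.
# NOTE(review): this URL is a GitHub-generated source archive, which is not
# guaranteed to stay byte-identical over time; prefer a published release
# asset if a stable checksum is required.
ARG OWASP_CRS_SHA256=""
# Install the OWASP CRS directly into its runtime location and activate the
# shipped example setup file under the name the rules expect.
RUN set -xeu && \
    mkdir -p /opt/owasp-crs && \
    wget -qO /tmp/owasp-crs.tar.gz "https://github.com/coreruleset/coreruleset/archive/refs/tags/v${OWASP_CRS_VER}.tar.gz" && \
    { [ -z "${OWASP_CRS_SHA256}" ] || echo "${OWASP_CRS_SHA256}  /tmp/owasp-crs.tar.gz" | sha256sum -c -; } && \
    tar -zxf /tmp/owasp-crs.tar.gz --strip-components=1 -C /opt/owasp-crs && \
    rm -f /tmp/owasp-crs.tar.gz && \
    mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf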
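# Optional pin for ngx_brotli: pass --build-arg NGX_BROTLI_REF=<tag or branch>
# to check out a known revision instead of the default branch. Empty (the
# default) keeps the previous unpinned clone.
ARG NGX_BROTLI_REF=""
# Build the static brotli encoder that the ngx_brotli module links against.
RUN set -xeu && \
    if [ -n "${NGX_BROTLI_REF}" ]; then \
        git clone --recurse-submodules -j8 --branch "${NGX_BROTLI_REF}" https://github.com/google/ngx_brotli; \
    else \
        git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli; \
    fi && \
    cd ngx_brotli/deps/brotli && \
    mkdir out && \
    cd out && \
    # -DCMAKE_CXX_FLAGS="-O3 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
    # -march=native/-mtune=native were removed from the C flags: they tune the
    # object code to the CPU of the build host, while this image is pushed to a
    # registry and run on other machines (see the amd64/arm64 push commands at
    # the end of this file), where host-specific instructions fault at runtime.
    cmake \
        -DCMAKE_BUILD_TYPE=Release \
        -DBUILD_SHARED_LIBS=OFF \
        -DCMAKE_C_FLAGS="-O3 -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
        -DCMAKE_INSTALL_PREFIX=./installed .. \
    && \
    cmake --build . --config Release --target brotlienc

# git clone https://github.com/yaoweibin/nginx_upstream_check_module && \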
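# Optional pin for headers-more-nginx-module: pass
# --build-arg HEADERS_MORE_REF=<tag or branch> to build a known revision.
# Empty (the default) keeps the previous unpinned clone of the default branch.
ARG HEADERS_MORE_REF=""
# Fetched as source only; nginx's ./configure compiles it in (--add-module).
RUN set -xeu && \
    if [ -n "${HEADERS_MORE_REF}" ]; then \
        git clone --branch "${HEADERS_MORE_REF}" https://github.com/openresty/headers-more-nginx-module; \
    else \
        git clone https://github.com/openresty/headers-more-nginx-module; \
    fi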
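# Optional integrity check for the nginx tarball: pass
# --build-arg NGINX_SHA256=<sha256 of nginx-${VERSION}.tar.gz> to enforce it.
# Empty (the default) keeps the previous behaviour of trusting TLS alone.
ARG NGINX_SHA256=""
# Fetch, patch, configure, build and install nginx under /opt/nginx with the
# modules prepared above, then trim the install tree for the runtime image.
RUN set -xeu && \
    mkdir -p /usr/local/src/nginx && \
    wget -qO /tmp/nginx.tar.gz "https://nginx.org/download/nginx-${VERSION}.tar.gz" && \
    { [ -z "${NGINX_SHA256}" ] || echo "${NGINX_SHA256}  /tmp/nginx.tar.gz" | sha256sum -c -; } && \
    tar -zxf /tmp/nginx.tar.gz --strip-components=1 -C /usr/local/src/nginx && \
    rm -f /tmp/nginx.tar.gz && \
    cd /usr/local/src/nginx && \
    for i in /usr/local/src/patch/*.patch; do \
        # An unmatched glob stays literal; skip it instead of handing it to patch.
        [ -e "$i" ] || continue; \
        echo "Applying ${i}..." && \
        patch -Np1 -i "$i"; \
    done && \
    # Tell the ModSecurity-nginx connector where libmodsecurity was installed.
    MODSECURITY_LIB="/opt/modsecurity/lib" \
    MODSECURITY_INC="/opt/modsecurity/include" \
    ./configure \
        --build="amazing from here" \
        --with-cc-opt="-Wno-error -DTCP_FASTOPEN=23 -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" \
        --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -Wl,--as-needed -pie -Wl,-z,relro -Wl,-z,now -Wl,-Bsymbolic -Wl,--gc-sections -fPIC -flto=auto -ffat-lto-objects' \
        --prefix=/opt/nginx \
        --add-module=/usr/local/src/headers-more-nginx-module \
        --add-module=/usr/local/src/ngx_brotli \
        --add-dynamic-module=/usr/local/src/modsecurity-nginx \
        --modules-path=modules \
        --conf-path=etc/nginx.conf \
        --pid-path=tmp/nginx.pid \
        --lock-path=tmp/nginx.lock \
        --without-select_module \
        --without-poll_module \
        --with-threads \
        --with-file-aio \
        --with-http_ssl_module \
        --with-http_v2_module \
        --with-http_v3_module \
        --with-http_realip_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --without-http_ssi_module \
        --without-http_userid_module \
        --without-http_auth_basic_module \
        --without-http_fastcgi_module \
        --without-http_uwsgi_module \
        --without-http_scgi_module \
        --without-http_memcached_module \
        --without-http_browser_module \
        --http-client-body-temp-path=tmp/client_body \
        --http-proxy-temp-path=tmp/proxy \
        --without-mail_smtp_module \
        --without-mail_imap_module \
        --without-mail_pop3_module \
        --with-stream=dynamic \
        --with-stream_ssl_module \
        --with-stream_realip_module \
        --with-stream_ssl_preread_module \
        --with-pcre \
        --with-pcre-jit \
        --with-libatomic && \
    make -j "$(nproc)" && \
    make install && \
    ldd /opt/nginx/sbin/nginx && \
    # find /opt/nginx/modules -type f -name '*.so' -print0 |awk -F'\0' '{printf("echo \"library %s\";ldd \"%s\"\n",$0,$0)}' |sh && \
    find /opt/nginx && \
    cat /opt/nginx/etc/nginx.conf && \
    # Re-install the two stock pages with explicit 0644 permissions.
    rm -r /opt/nginx/html/ && \
    mkdir /opt/nginx/etc/conf.d/ && \
    mkdir -p /opt/nginx/html/ && \
    install -m644 html/index.html /opt/nginx/html/ && \
    install -m644 html/50x.html /opt/nginx/html/ && \
    # Send logs to the container's stdout/stderr.
    ln -sf /dev/stdout /opt/nginx/logs/access.log && \
    ln -sf /dev/stderr /opt/nginx/logs/error.log && \
    cd /opt/nginx && \
    # Parameter files for protocol modules that were built --without above.
    rm \
        etc/fastcgi_params \
        etc/fastcgi_params.default \
        etc/fastcgi.conf \
        etc/fastcgi.conf.default \
        etc/uwsgi_params \
        etc/uwsgi_params.default \
        etc/scgi_params \
        etc/scgi_params.default && \
    ldd sbin/nginx && \
    # NOTE(review): only the main binary is stripped; the dynamic modules under
    # modules/ keep their symbols.
    strip -X -x -s -v sbin/nginx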
# Seed ModSecurity's runtime configuration from the files shipped in the source
# tarball; logs/audit is presumably the audit-log location referenced by it.
# NOTE(review): upstream's modsecurity.conf-recommended is deliberately
# conservative (detection-only engine mode) — confirm that the modsecurity.d
# files copied over this directory in the final stage set the intended
# SecRuleEngine value.
RUN set -xeu && \
    mkdir /opt/modsecurity/etc && \
    mkdir -p /opt/nginx/logs/audit && \
    cp -af /usr/local/src/modsecurity/modsecurity.conf-recommended /opt/modsecurity/etc/modsecurity.conf && \
    cp -af /usr/local/src/modsecurity/unicode.mapping /opt/modsecurity/etc/unicode.mapping
##
## PKG
##
# Throw-away stage that downloads the runtime .apk dependencies and unpacks
# them, so their files can be copied into the final image as plain files.
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/alpine-base:3.19-latest AS pkg
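# Fetch the runtime libraries nginx and libmodsecurity link against (-R pulls
# in their dependencies) and unpack them into ./output as plain files.
# The apks removed before extraction are presumably those the final base image
# already provides, so they must not be overwritten.
RUN set -xeu && \
    mkdir pkgs output && \
    apk --no-cache \
        fetch -R -o pkgs \
        openssl \
        pcre2 \
        zlib \
        musl-utils \
        # modsecurity
        xz-libs \
        libxml2 \
        libfuzzy2 \
        lmdb \
        yajl \
        libstdc++ \
    && \
    rm -f \
        pkgs/busybox-*.apk \
        pkgs/ca-certificates-*.apk \
        pkgs/libcrypto3-*.apk \
        pkgs/libssl3-*.apk \
        pkgs/ssl_client-*.apk && \
    # Extract each package directly instead of generating a shell script with
    # awk; set -e aborts the build on the first failing tar (and on an empty
    # pkgs/, where the glob would stay literal).
    for f in pkgs/*.apk; do \
        echo "extracting ${f}" && \
        tar -zxf "${f}" -C output; \
    done && \
    # Drop the dot-files that apk archives carry as package metadata.
    find output -type f -name '.*' -delete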
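##
## Deploy
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/minimal-toolbox:3.19-latest

# Artifacts from the build stage. /opt/nginx used to be copied twice (once
# before and once after the pkg layer); the second, identical copy only added
# a redundant layer and has been dropped.
COPY --from=build /opt/nginx /opt/nginx
COPY --from=build /opt/owasp-crs /opt/owasp-crs
COPY --from=build /opt/modsecurity /opt/modsecurity
# Runtime libraries unpacked in the pkg stage; merged into / by the next RUN.
COPY --from=pkg output /pkg
# Site-specific ModSecurity configuration, laid over the defaults seeded from
# the source tarball in the build stage.
COPY modsecurity.d /opt/modsecurity/etc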
# Merge the unpacked runtime packages into the root filesystem and remove the
# staging directory. /pkg still exists in the preceding COPY layer, so the rm
# keeps the final filesystem tidy but does not shrink the image.
RUN set -xeu && \
    for entry in /pkg/*; do \
        cp -af "${entry}" /; \
    done && \
    rm -rf /pkg
# Directory for entrypoint drop-in scripts. The COPY of docker-entrypoint.d
# below targets the same path, so this presumably only guarantees the directory
# exists when the build context ships it empty.
RUN set -xeu && \
    mkdir /docker-entrypoint.d
# Main configuration and the catch-all server block. conf.d is declared a
# VOLUME below, so default.conf is only the baked-in fallback.
COPY nginx.conf /opt/nginx/etc/nginx.conf
COPY nginx.vh.no-default.conf /opt/nginx/etc/conf.d/default.conf
# The entrypoint's execute bit comes from the build context (COPY preserves
# modes); keep it executable in the repository, or add --chmod=0755 here.
COPY docker-entrypoint.sh /
# A leading slash in a COPY source is still resolved inside the build context.
COPY /docker-entrypoint.d /docker-entrypoint.d
# Put nginx on PATH, create the directories the configuration and entrypoint
# expect, and hand the runtime directories to the unprivileged identity used
# by USER below (1000:1000).
# NOTE(review): chown -R on /opt/nginx/etc makes the entire configuration tree
# writable by the nginx process itself. If the entrypoint does not need to
# render files there at start-up, restrict the chown to tmp/ and logs/ so a
# compromised worker cannot rewrite its own configuration.
RUN set -xeu && \
    mkdir -p /usr/local/sbin && \
    ln -sf /opt/nginx/sbin/nginx /usr/local/sbin/nginx && \
    mkdir -p /opt/nginx/etc/templates \
        /opt/nginx/etc/stream-conf.d \
        /opt/nginx/etc/conf.d \
        /opt/nginx/tmp \
        /opt/nginx/logs && \
    chown -R 1000:1000 \
        /opt/nginx/etc \
        /opt/nginx/tmp \
        /opt/nginx/logs && \
    # Dangling until conf.d (a VOLUME below) provides core-extra — confirm the
    # entrypoint or the mounted volume supplies it.
    ln -sf ./conf.d/core-extra /opt/nginx/etc/nginx.extra.conf
WORKDIR /opt/nginx

LABEL org.opencontainers.image.authors="Sangbum Kim <sangbumkim@amuz.es>"

# Unprivileged ports only, since the process runs as UID 1000 (USER below):
# 8080 and 8443 for TCP, 8443/udp presumably for HTTP/3 (--with-http_v3_module).
# EXPOSE is documentation; it publishes nothing by itself.
EXPOSE 8080 8443 8443/udp

# SIGQUIT is nginx's graceful-shutdown signal (in-flight requests finish),
# which is why it replaces the default SIGTERM here.
STOPSIGNAL SIGQUIT

# tini reaps zombies and forwards signals; -s enables subreaper mode for the
# case where tini itself is not PID 1. docker-entrypoint.sh should end with
# `exec "$@"` so nginx replaces the shell.
ENTRYPOINT [ "/sbin/tini", "-s", "--", "/docker-entrypoint.sh"]

# Everything from here on, including the container process, runs unprivileged.
USER 1000:1000

# Declared after these directories were populated and chowned above, so their
# build-time content is preserved.
VOLUME ["/opt/nginx/etc/conf.d", "/opt/nginx/html", "/opt/nginx/tmp", "/opt/nginx/logs"]

ENV PATH="/opt/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Default arguments for the entrypoint: run nginx in the foreground.
# NOTE(review): there is no HEALTHCHECK; if the base image ships a small HTTP
# client, a cheap probe of the 8080 listener would let orchestrators detect a
# wedged worker.
CMD ["nginx", "-g", "daemon off;"]

# buildah push 95713466eb harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-amd64-musl
# podman push 465bf7f815c2 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-arm64-musl
# podman manifest create \
# harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1 \
# harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-amd64-musl \
# harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-arm64-musl
# podman push ba59d3263 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1
# podman push ba59d3263 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25-latest
# podman push ba59d3263 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:latest